This article can also be found in the Premium Editorial Download "Information Security magazine: How security pros can benefit from information sharing."
Download it now to read this article plus other related content.
Price: RSA SecurID tokens: $50-60/user; Authentication Manager: $45-55/user
|RSA SecurID 6.0 for Windows|
With the newest version of its venerable SecurID, RSA Security addresses the inherent weakness of password-based security using a key fob that generates unique one-time passcodes every minute. SecurID has been around since the mid-'80s, but, for the first time, RSA SecureID 6.0 for Windows extends two-factor authentication to domain resources and offline users.
Passwords are an administrative headache and a security risk. Static passwords can be used repeatedly if they're stolen, but strong passwords are difficult to remember--they're long and filled with combinations of numbers, letters and characters. The common result is help desks swamped with calls about forgotten passwords. With SecurID, the user only needs to remember a four-digit PIN combined with their SecurID's one-time passcode to gain access.
In the background, an authentication agent verifies the password, and the RSA Authentication Manager (formerly called the RSA ACE/Server) decrypts the actual Windows password and supplies it and the UserID to Active Directory.
SecurID 6.0 adds two-factor authentication for systems that are offline from the network, such as laptops. This is enabled by the Authentication Manager, which provides a series of precalculated authentication codes securely hashed and stored on the mobile device. The authentication agent acts as a mini-ACE/ Server and will compare the user-supplied information to the stored codes. The offline module decrypts the locally stored Windows password and passes it to the Windows logon mechanism. The administrative console logs are updated the next time the user logs on to the network to provide an audit trail. Organizations can also set the maximum number of days a mobile, offline device can be authenticated before the user has to synchronize with the network. However, this has to be applied globally to be effective. RSA says the next version will allow this to be set by group.
Security managers will like RSA's improved support for AD, which was somewhat lacking in the previous version. During testing, we validated its ability to allow/deny login both offline and online, and received warnings when we were running out of the allowed offline days. As a security admin, we were able to provide emergency access when users ran out of offline login days or when they "lost" the fob that generates their one-time passwords. The system "recharged" the number of offline days allowed once the device reconnected to the domain. One change we did have to make on each Windows XP client with SP2 using Microsoft's Windows Firewall was to open port 2334 inbound to allow SecurID's authentication to work. This presents a potential vulnerability, especially for remote users.
Soon, RSA will support a USB key that will allow Windows users to authenticate without entering a one-time code.
With SecurID 6.0 for Windows, RSA provides the kind of authentication that networks and mobile-user needed to secure today's enterprise environments.
This was first published in January 2005